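# OpenSSL configuration for a small private CA (consumed by `openssl ca`).
# Relative file names below are resolved against the directory the command
# is run from, so run it from the CA's working directory.

[ ca ]
# Section that holds the settings for the CA used by default.
default_ca = myca

[ crl_ext ]
# Extensions added to generated CRLs.
# issuerAltName=issuer:copy  #this would copy the issuer name to altname
authorityKeyIdentifier=keyid:always

[ myca ]
# Directory where a copy of every issued certificate is written.
# NOTE(review): /tmp is normally world-writable and cleared on reboot;
# a dedicated directory owned by the CA operator is the safer choice.
new_certs_dir = /tmp
# "no" allows several valid certificates with the same subject
# (convenient for renewals, but duplicates are not rejected).
unique_subject = no
# CA certificate and the database / serial files maintained by `openssl ca`.
certificate = root.cer
database = certindex
# CA signing key. Keep this file readable only by the CA operator.
private_key = privkey.pem
serial = serialfile
# Lifetime, in days, of issued certificates.
default_days = 365
# Signature digest. SHA-256 is used because SHA-1 signatures are
# collision-prone and are rejected by current TLS clients.
default_md = sha256
policy = myca_policy
x509_extensions = myca_extensions
# Days until the next CRL is due.
default_crl_days = 30

[ myca_policy ]
# Subject fields required in a request: "supplied" must be present,
# "optional" may be omitted.
commonName = supplied
stateOrProvinceName = supplied
countryName = supplied
emailAddress = optional
organizationName = supplied
organizationalUnitName = optional

[ myca_extensions ]
# Extensions placed in every issued certificate.
# CA:false keeps issued certificates from being used to sign others.
basicConstraints = CA:false
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always
keyUsage = digitalSignature,keyEncipherment
# NOTE(review): every certificate is valid for both TLS server and TLS
# client authentication; use separate extension sections if the two roles
# should not share certificates.
extendedKeyUsage = serverAuth,clientAuth
# NOTE(review): looks like a placeholder host; point this at the URL where
# the CRL is actually published so relying parties can check revocation.
crlDistributionPoints = URI:http://path.to.crl/myca.crl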